Is there a way to search for federated Teams users in Microsoft graph?
In the Teams client, you can search for any open federated users using the top search box. It'll give an option to search externally, which will return a federated user if the address matches. I'm trying to find a way to replicate this in an application, and haven't come up with a way to get it yet. Here's what I've tried so far:
- People Search (e.g. https://graph.microsoft.com/v1.0/me/people?$search="[email protected]") doesn't return anything.
- User search (e.g. https://graph.microsoft.com/v1.0/users) only returns users in the same AAD (as expected).
What I'm really interested in getting is the AzureAD guid (user's unique ID) and I can't find a way to get that without having an app to query the user's specific tenant. Is this something that's possible to get through graph, or will it need to be Tenant specific? Thought is that if the Teams client can do this for open federated users, then shouldn't an app have access to the same data?
Solution 1:[1]
So I sort of found an answer to this in creating a multitenant graph application. I never really understood how those worked, but it finally clicked. To set one up, in your home tenant create an AAD app as usual, set it as multitenant, and assign it the API permissions you need (User.Read.All, User.ReadBasic.All etc.). It'll show up in app registrations, and you can auth using secrets/certs etc. Then in a target tenant, have someone hit this URL: https://login.microsoftonline.com/TENANTID/adminconsent?client_id=APPID where TENANTID is the target tenant's ID, and APPID is the appid from your AAD. Once consented (user/admin depending on permissions), the app will show in the "Enterprise applications" section of the target tenant's AAD.
Once you have this, you'll be able to search users on that target tenant. The challenge here is that you'll need to know the tenant ID you're searching, and have a user specifically grant permission to do it, rather than it being a federated search. Not ideal, but that's about all you can do with graph.
What would be useful here would be to have the same capabilities as the Teams client to get federated user information as an application in any tenant. Since the client can do this interactively, any open federated organization should be searchable by a graph application (perhaps using an "include external" flag in the search). I wouldn't expect anything other than the user GUID and presence, but for my case (ACS/Teams interop) that would be enough.
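The three steps in Solution 1 (admin consent link for the target tenant, app-only token issued by that tenant, then a `/users` lookup to get the object ID) as a worked example. This is added code, not the answerer's; it uses only the Python standard library. The tenant ID, client ID, secret and addresses are placeholders, and the consent link adds `redirect_uri` and `state` to the bare form shown in the answer so the callback can be matched to the request that produced it. Only the URL/body builders and the response parser run offline; the two network helpers at the end are what you would call for real.

```python
"""Added example (not from the original post): look up a user's Azure AD object ID
in a target tenant through a multitenant app registration, as described in
Solution 1. All identifiers below are placeholders (assumptions), not real values."""
import json
import urllib.parse
import urllib.request
from typing import Optional, Tuple

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"


def admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Link a target-tenant admin opens to consent to the app.
    redirect_uri must match one registered on the app; state is echoed back on the
    callback (together with admin_consent=True&tenant=...) so the caller can tie the
    consent result to the request it issued and reject unsolicited callbacks."""
    query = urllib.parse.urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    )
    return f"{LOGIN}/{tenant_id}/adminconsent?{query}"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """Client-credentials request for an app-only Graph token.
    The tenant in the URL must be the *target* tenant: a token minted by the home
    tenant does not carry the target tenant's consent. Returns (url, form body)."""
    body = urllib.parse.urlencode(
        {
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
            "grant_type": "client_credentials",
        }
    ).encode()
    return f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", body


def user_lookup_url(upn_or_mail: str) -> str:
    """Graph query matching a user by userPrincipalName or mail.
    Single quotes in the value are doubled (OData string escaping) so an address
    taken from user input cannot alter the filter expression."""
    escaped = upn_or_mail.replace("'", "''")
    flt = f"userPrincipalName eq '{escaped}' or mail eq '{escaped}'"
    query = urllib.parse.urlencode(
        {"$filter": flt, "$select": "id,displayName,userPrincipalName"},
        quote_via=urllib.parse.quote,  # spaces as %20 rather than '+'
    )
    return f"{GRAPH}/users?{query}"


def parse_user_id(graph_response: bytes) -> Optional[str]:
    """Object ID (GUID) of the first matching user, or None when nothing matched."""
    users = json.loads(graph_response).get("value", [])
    return users[0]["id"] if users else None


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Network call: obtain the app-only token from the target tenant."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def find_user_id(tenant_id: str, client_id: str, client_secret: str, address: str) -> Optional[str]:
    """Network call: token + /users query, returning the user's object ID."""
    token = get_token(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        user_lookup_url(address), headers={"Authorization": f"Bearer {token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return parse_user_id(resp.read())


if __name__ == "__main__":
    # Placeholder values; print the link an admin of the target tenant must open.
    print(admin_consent_url(
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
        "https://example.com/callback",
        "request-42",
    ))
```

The lookup uses `$filter` on `userPrincipalName`/`mail` rather than `$search`, because `$search` on `/users` needs the `ConsistencyLevel: eventual` header and returns substring matches, whereas the question wants the one account behind an exact address. `User.ReadBasic.All` is enough for `id`, `displayName` and `userPrincipalName`; grant more only if you need it.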
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Chris Bardon |